NAT on Local side



  • Hello. I am hoping someone can assist me.

    I am trying to forward everything that tries to go outside my network on port 80 to a Windows Proxy server.

    This is the rule I have setup:
    NAT/Port Forward
    Interface: LAN
    Protocol: TCP
    Source Address: ![My Proxy Server IP] (I don't want it to use this rule if the request is coming from the proxy)
    Dest. Address: ![LAN Address] (I want to be able to access pfSense GUI still)
    Dest. Ports: 80 (HTTP)
    NAT IP: [My Proxy Server IP]
    NAT Port: 808 (This is the address my Proxy listens on)

    However, it doesn't work at all. I tried even changing the IP to a different machine to see if I can no longer get out at all on port 80 from my client, but I still can. It's like the rule is being ignored. Am I doing this correctly?

    Thank you!

    Aaron



  • Did you clear states before you ran your test again? Existing states aren't affected by rule changes.



  • Just tried that and still no change. The rule is just ignored.



  • It sounds like you're doing it right. Here is a guide for how to redirect DNS to pfSense. Different ports & protocols, but the basics still apply.

    https://docs.netgate.com/pfsense/en/latest/dns/redirecting-all-dns-requests-to-pfsense.html

    Test it with a packet capture running and see what's going in and going out of pfSense LAN interface.



  • :( Ok. Well, that's actually the guide I based it off of to set it up originally. I even have NAT Reflection disabled on it like the guide says.

    I will try and look at packet capturing, but I'm not sure that will do much because it'll just say my client is going out to the address of the webpage I'm accessing.



  • If you don't know what's going on then a packet capture is the only way to find out, otherwise you're just guessing and scratching your head.

    Post a screen shot of your LAN rules page.



  • Here are the packets.

    09:30:27.714780 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
    09:30:27.869182 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
    09:30:27.869606 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
    09:30:27.869895 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 434
    09:30:28.031529 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
    09:30:28.039424 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460
    09:30:28.040341 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 1460



  • LAN.png



  • Change your Source port from 80 to * in your NAT rule. Source ports are random and dynamically assigned.



  • Made a little progress with that change... But still no go. Now I can't get out at all on port 80. Even if I go to a command prompt and try and telnet, it's like the port isn't open...

    I tried: telnet www.google.com 80

    Packets captured:
    10:19:42.355820 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
    10:19:42.355925 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
    10:19:45.368340 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
    10:19:45.368417 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
    10:19:46.899623 ARP, Request who-has 10.40.162.1 (00:15:5d:a2:5a:07) tell 10.40.162.203, length 46
    10:19:46.899654 ARP, Reply 10.40.162.1 is-at 00:15:5d:a2:5a:07, length 28
    10:19:51.368321 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
    10:19:51.368371 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0

    I also confirmed I can telnet into 10.40.162.94 808. This works. So, I know it's something with the route still.

    Also, FYI, I verified I can telnet www.google.com 80 from my Proxy machine. That works, so I know the proxy can still get out :)
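    The two captures above can be compared mechanically. The following is an added example, not code from the thread or from pfSense: it parses tcpdump's default one-line text output (as quoted above), treats 10.40.162.94:808 as the redirect target from the rule, and reports whether the port-80 flows were rewritten and whether the target ever answered.

```python
import re

# Sample input constructed from the tcpdump lines quoted earlier in this thread.
CAPTURE_NO_REDIRECT = """\
09:30:27.714780 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
09:30:27.869182 IP 37.1.220.74.80 > 10.40.162.203.53896: tcp 0
09:30:27.869606 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 0
09:30:27.869895 IP 10.40.162.203.53896 > 37.1.220.74.80: tcp 434
"""
CAPTURE_REDIRECT = """\
10:19:42.355820 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:42.355925 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:45.368340 IP 10.40.162.203.53984 > 172.217.7.228.80: tcp 0
10:19:45.368417 IP 10.40.162.203.53984 > 10.40.162.94.808: tcp 0
10:19:46.899623 ARP, Request who-has 10.40.162.1 (00:15:5d:a2:5a:07) tell 10.40.162.203, length 46
"""

# Matches "<time> IP <src>.<sport> > <dst>.<dport>: tcp <len>"; ARP and other lines do not match.
TCP_LINE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): tcp (\d+)$")

def parse_capture(text):
    """Return (src, sport, dst, dport, payload_len) tuples for each TCP line."""
    pkts = []
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            src, sport, dst, dport, plen = m.groups()
            pkts.append((src, int(sport), dst, int(dport), int(plen)))
    return pkts

def diagnose_redirect(text, proxy_ip, proxy_port, port=80):
    """Classify what a LAN-side capture shows about a port-80 -> proxy redirect rule.

    Returns one of: 'no-traffic', 'rule-not-applied',
    'redirected-no-proxy-reply', 'redirected-proxy-replied'.
    """
    pkts = parse_capture(text)
    # Client flows aimed at port 80 on an origin server; the proxy itself is
    # excluded, mirroring the rule's negated source address.
    client_flows = {(p[0], p[1]) for p in pkts if p[3] == port and p[0] != proxy_ip}
    # The same flows as re-emitted by the firewall with the destination rewritten.
    translated = {(p[0], p[1]) for p in pkts if p[2] == proxy_ip and p[3] == proxy_port}
    proxy_replied = any(p[0] == proxy_ip and p[1] == proxy_port for p in pkts)
    if not client_flows:
        return "no-traffic"
    if not client_flows & translated:
        return "rule-not-applied"
    return "redirected-proxy-replied" if proxy_replied else "redirected-no-proxy-reply"
```

    Run against the first capture it reports that the rule was never applied; against the second it reports that the rewrite happened but nothing came back from 10.40.162.94:808, which is what the repeated SYNs at 3-second intervals also indicate.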



  • The redirect is working according to your capture. Did you change the Source from * back to !10.40.162.94?



  • Yes. I never changed the Source IP. Only the Source port. Source port is now *. Source IP is still !10.40.162.94



  • I don't know what your other system is doing, but the NAT is working as expected. Time to look at it from the proxy's perspective.



  • Ok. I will play more with it! I really appreciate your help!

    I'm confused because if I manually set my proxy on my machine to 10.40.162.94, it works. So I know the proxy is functional.

